Solved

MTU SETTING

Posted on 2006-11-20
Last Modified: 2013-11-16
Right now our MTU on the pix is 1500 on inside and outside.

The cisco vpn client sets up at 1300 by default.

What will it affect by changing it from 1500 to 1300 to match the VPN client default?

We use SBS Exchange and Remote Web Workplace internally.

I figured it's easier to change it on the PIX itself, rather than re-writing the install client to match the 1500 setting on the PIX. I am about to be rolling out a lot of these VPN clients so I wanted to make it as smooth as possible. Please let me know what's best and what will be affected by the change being made at the firewall. Thanks in advance.
Question by:jaysonfranklin
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 17982851
I would highly recommend leaving the PIX interface at the default and letting the VPN client software change the client end. The clients will typically be connecting from almost anywhere. It's the network endpoint closest to the user that can affect the MTU.
I have never seen any valid reason to change the firewall's MTU with the lone exception of DSL/PPPoE connections where the PIX itself is the PPPoE client and the MTU gets adjusted to 1492 to account for the extra 8-byte PPPoE overhead.
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17982895
So, do you think leaving the VPN clients' setting at 1300 while the PIX outside interface is at 1500 isn't a big deal?
 
LVL 79

Expert Comment

by:lrmoore
ID: 17983027
I do not think it is a big deal. I think it is the right thing to do.
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 17983391
Leave both MTUs alone.  If there ever becomes a case where an intermediary MTU is low enough to cause fragmentation, then there's something called PMTU Discovery that will help you out.
PMTU Discovery is a process by which a client negotiates optimum MTU with a server by means of ICMP messages.
Fortunately for us, it's built into all modern TCP/IP stacks (PIX, VPN Client and DSL networks included!), so there's really no need to muck around with MTUs anymore.  It was a bit different 10 years ago with dial-up connections, and paranoid sec admins who disabled ICMP.  But these days, one would hope things are different.  Apart from the last bit.  I still come across the odd setup where an admin has incorrectly disabled all ICMP at his/her perimeter.  It's not called 'Internet Control' MP for nothing!  :)
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 100 total points
ID: 17984886
Agree with others on leaving it alone unless there are other reasons. Now, if you are thinking about changing it because your VPN client has 1300 and the PIX is at 1500:

You have to imagine the connection. Say a normal packet will be 1500 odd, but when you have an IPsec VPN into it, you're adding more fields to it and the packet gets a little bigger, so in order to avoid fragmentation it is better to have it at 1300 (which even I find very optimal while I'm in India and the PIX is in the US, especially with VoIP clients).

As well, the connection type of the VPN client needs to take this into consideration. I'm sure it will be lower than the PIX site?

Cheers,
Rajesh
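The two points made above, that ESP encapsulation grows the packet so a 1300-byte inner MTU clears a 1500-byte outer link, and that PMTU Discovery only works when the ICMP "fragmentation needed" replies get back to the sender, can be checked with arithmetic. The following is an added example, not code from any poster, Cisco, or the PIX. It assumes a tunnel-mode ESP SA using AES-CBC (16-byte IV and block size) with HMAC-SHA1-96 (12-byte ICV) plus NAT-T UDP encapsulation; the cipher suite is an assumption, the header sizes are the standard ones, and the path MTU list in the PMTUD simulation is constructed.

```python
"""Estimate IPsec ESP overhead and simulate RFC 1191 path MTU discovery.

Added example (not from the thread). Cipher suite and sample paths are assumptions.
"""
from dataclasses import dataclass

IPV4_HEADER = 20      # outer IP header added in tunnel mode
TCP_HEADER = 20
UDP_HEADER = 8        # NAT-T wraps ESP in UDP/4500
PPPOE_OVERHEAD = 8    # the 1492 case mentioned earlier in the thread
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int       # cipher IV bytes (16 for AES-CBC, 8 for 3DES-CBC)
    block_len: int    # cipher block size that padding must align to
    icv_len: int      # integrity check value (12 for HMAC-SHA1-96 / HMAC-MD5-96)
    nat_t: bool       # True when ESP is UDP-encapsulated (NAT-Traversal)


# Assumed profile for the worked numbers below.
AES_SHA1_NATT = EspProfile("AES-128-CBC/HMAC-SHA1-96 + NAT-T", 16, 16, 12, True)


def esp_pad_len(inner_len: int, block_len: int) -> int:
    """Padding so that (inner + pad + 2-byte trailer) is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % block_len


def tunnel_mode_size(inner_len: int, profile: EspProfile) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner_len-byte IP packet."""
    pad = esp_pad_len(inner_len, profile.block_len)
    size = (IPV4_HEADER + ESP_HEADER + profile.iv_len
            + inner_len + pad + ESP_TRAILER + profile.icv_len)
    if profile.nat_t:
        size += UDP_HEADER
    return size


def max_inner_packet(outer_mtu: int, profile: EspProfile) -> int:
    """Largest inner IP packet that fits in outer_mtu without fragmentation.

    Searches downward because ESP padding makes the size step-wise, not linear.
    """
    for inner in range(outer_mtu, 0, -1):
        if tunnel_mode_size(inner, profile) <= outer_mtu:
            return inner
    return 0


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS the client should advertise for a given inner MTU (IPv4, no options)."""
    return inner_mtu - IPV4_HEADER - TCP_HEADER


def pmtu_discovery(initial_mtu: int, path_link_mtus: list, icmp_blocked: bool = False):
    """Simulate RFC 1191 PMTUD with DF-bit probes along a list of link MTUs.

    Returns (discovered_mtu, probes_sent). If ICMP "fragmentation needed" replies
    are filtered somewhere, the sender never learns the smaller MTU and the result
    is (None, probes): the black-hole case the thread warns about.
    """
    mtu, probes = initial_mtu, 0
    while True:
        probes += 1
        # The first router whose next link is too small drops the probe and replies.
        blocker = next((m for m in path_link_mtus if m < mtu), None)
        if blocker is None:
            return mtu, probes
        if icmp_blocked:
            return None, probes
        mtu = blocker  # ICMP reply carries the next-hop MTU; shrink and retry


if __name__ == "__main__":
    p = AES_SHA1_NATT
    print(f"1500-byte inner packet -> {tunnel_mode_size(1500, p)} bytes on the wire")
    print(f"1300-byte inner packet -> {tunnel_mode_size(1300, p)} bytes on the wire")
    print(f"largest inner packet through a 1500 link: {max_inner_packet(1500, p)}")
    print(f"largest inner packet through PPPoE (1492): {max_inner_packet(1500 - PPPOE_OVERHEAD, p)}")
    print(f"TCP MSS for a 1300 inner MTU: {tcp_mss(1300)}")
    print("PMTUD over [1500, 1492, 1400, 1500]:", pmtu_discovery(1500, [1500, 1492, 1400, 1500]))
    print("same path, ICMP filtered:", pmtu_discovery(1500, [1500, 1492, 1400, 1500], icmp_blocked=True))
```

With this profile a full 1500-byte inner packet becomes 1568 bytes and must fragment on a 1500-byte link, while the client default of 1300 comes out at 1376 bytes and clears it, which is the point made about leaving the PIX at 1500 and the client at 1300. The PMTUD simulation converges in three probes when ICMP is allowed and never converges when it is filtered, which is why dropping all ICMP at the perimeter breaks large transfers rather than merely slowing them.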